Information Commissioner's Office


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


X Yes
O No
O Unsure/don’t know


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


O Yes
O No
X Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


How should we deal with bulk requests? (Page 21) 

Could you give more detail on whether we can extend the deadline in these circumstances? It
would seem unfair to have to delay answering other SARs whilst we deal with those sent in as part
of a campaign. If it’s a complex bulk request, can we extend further? How should bulk requests
be prioritised in relation to BAU requests?


Can we clarify the request? (Page 23) 

Could you add guidance about what ‘a reasonable search’ would cover for a SAR from a member of 
staff who does not indicate the scope of their request? As most of such requests we receive are 
about employment disputes, we could ask the member of staff's immediate line management to 
search their records for any relevant personal data. However, the danger of this approach is that 
the individual may not want these staff to know that a SAR has been made - it may be because of 
fears of bullying, or that the individual does not want their new line manager to know that they 
had problems previously. So, when we acknowledge the request, could we say that it would be
helpful if the individual could explain the scope of the data that they require, but explain what our
search will include in the absence of this information?


Could we also extend the time-period if the individual does not respond until just before the 
deadline and wants data about a matter we weren't expecting them to ask about? 


On Page 32, it would be helpful to expand the advice on the provision of information verbally. An 
individual may request information over the telephone but, if that information is not readily 
available, is the expectation that the customer will receive a call back with the response, unless 
you have agreed a suitable alternative mechanism for providing the response? 


On Page 77, there should be more detail on the criminal offence of forcing an individual to make a 
SAR so that organisations are better placed to spot this and protect the data subject. 


Q3 Does the draft guidance contain enough examples? 


O Yes
X No
O Unsure/don’t know


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Large data-heavy organisations routinely processing multiple sets of personal data about 
an individual and objects that they possess/own in different systems may also struggle to 
meet the deadline for responding to a data subject within one month if the time limit for 
responding starts before they have had the opportunity to clarify the individual’s 
requirements. Whilst an individual is entitled to ask for all the information held on them, 
the proposed approach will inevitably result in significant amounts of nugatory work being 
carried out preparing a full response relating to all the personal information held when 
only a small subset of that information is actually required. 


As a general comment, examples and case studies are useful in understanding and 
refining approach. More examples (or links to examples) across the board would be 
useful, as each section is so varied. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Would it be possible to include a scenario of receiving SARs from a regular requestor, who
each time requests information about different matters or timeframes? Because of this,
we don’t believe they can be deemed manifestly unfounded. However, the information
requested can be sourced through other channels. Can the guidance include an indication
as to whether it is acceptable to advise an applicant the information is available
elsewhere, and redirect them to this route?


Q5 On a scale of 1-5 how useful is the draft guidance?

1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful

O O O x


Q6 Why have you given this score?


On the whole the SAR guidance was clear, well written and provided clarity with many
practical suggestions for organisations on how to comply. However, there were some
areas to highlight/gaps in information, as detailed in our response.


There were some good additions to the guidance, such as the bullet point of ‘Technical
difficulties in retrieving the information’ to When is a request complex? (Page 18).


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?


Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree

O O O X


Q8 Please provide any further comments or suggestions you may have about the draft
guidance.


On Page 16 there is advice on when the time limit starts but none of the examples provided cover 
the scenario regarding when additional information is required to confirm the requester’s identity. 
Further guidance is provided on page 21 but could be better served earlier in the section to 
prevent any misunderstandings. 


When is a request complex? (Page 18) 
Suggest adding third party consultation - “Needing to ask third parties if they have concerns about
disclosure and carrying out any subsequent ‘balancing’ acts”. We have found this process to be
very time consuming as this can involve lengthy correspondence with third parties. Consultation 
may also lead to further material that falls within scope, and may in turn require further 
consultation. 

There may be a delay when third parties are unavailable for a time (away on a long holiday, sick 
leave or dealing with family problems etc). 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Department for Transport 


What sector are you from: 


Information Rights Team 


Q10 How did you find out about this survey? 


O ICO Twitter account
ICO Facebook account
ICO LinkedIn account
ICO website
ICO newsletter
ICO staff member
Colleague
Personal/work Twitter account
Personal/work Facebook account
Personal/work LinkedIn account
Other
Thank you for taking the time to complete the survey.


